Problem
Sigstore verification says "signed by alice@google.com." Auths verification says "signed by did:key:zDnaeozdq..." One is meaningful to a human scanning a release page. The other requires a lookup.
The underlying data exists — allowed signers files map DIDs to emails, attestation chains carry subject metadata, and GitHub SSH key uploads link DIDs to platform accounts. But none of this surfaces in the places humans actually look: CLI verification output, .auths.json files, and Rekor entries.
Proposed changes
1. Verification output resolves DID to human-readable name
# Current
$ auths artifact verify release.tar.gz
✓ Signed by did:key:zDnaeozdqZm6u6rx8pc8RjSFVXRdoyACavgoRMQQx1qCXvsdm
# Proposed
$ auths artifact verify release.tar.gz
✓ Signed by bordumb (did:key:zDnaeozdq...)
Identity: did:keri:ELeNxCv0DfDvlAAnt1TEvnNLO_MLT17W9Q3RBnsv9hHI
GitHub: github.com/bordumb
Resolution order:
- Check allowed signers file for email mapping
- Check attestation chain for subject metadata
- Fall back to truncated DID
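Added example (not the auths project's own code) of the three-step resolution order above: it cross-references a DID to an email through a shared allowed_signers key, then falls through to attestation subject metadata, then to the truncated DID. The OpenSSH-style allowed_signers layout, the attestation chain shape and every sample value are constructed assumptions.

```python
# Constructed sample input (not from the auths project): OpenSSH-style allowed_signers
# lines "principals [options] key-type base64-key"; the email and DID share one key.
ALLOWED_SIGNERS = """\
bordumbb@gmail.com namespaces="file" ecdsa-sha2-nistp256 AAAAEXAMPLEKEY1=
did:key:zDnaeozdqZm6u6rx8pc8RjSFVXRdoyACavgoRMQQx1qCXvsdm ecdsa-sha2-nistp256 AAAAEXAMPLEKEY1=
"""
# Constructed attestation chain; "subject" stands in for the subject metadata step 2 reads.
CHAIN = [{"issuer": "did:key:zExampleChainOnly0000000000000000000000000000",
          "subject": {"name": "carol", "github": "carol-example"}}]

def truncate_did(did: str, keep: int = 17) -> str:
    """Step 3 fallback: shorten the DID as the proposed output does ("did:key:zDnaeozdq...")."""
    return did if len(did) <= keep else did[:keep] + "..."

def parse_allowed_signers(text: str) -> dict:
    """Group principals by public key so a DID can be cross-referenced to an email."""
    by_key: dict = {}
    for fields in (ln.split() for ln in text.splitlines()):
        if not fields or fields[0].startswith("#"):
            continue
        # The key-type token ends the optional options; keys may contain '=' so match the type.
        idx = next((i for i, f in enumerate(fields) if i and f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        by_key.setdefault(fields[idx] + " " + fields[idx + 1], set()).update(fields[0].split(","))
    return by_key

def email_for_did(did: str, by_key: dict) -> "str | None":
    """Step 1: an email principal whose allowed_signers key matches the DID's key."""
    for principals in by_key.values():
        if did in principals:
            return next((p for p in sorted(principals) if "@" in p), None)
    return None

def resolve_signer(did: str, allowed_signers: str = ALLOWED_SIGNERS, chain: list = CHAIN) -> tuple:
    """Apply the resolution order; returns (display name, step that produced it)."""
    email = email_for_did(did, parse_allowed_signers(allowed_signers))
    if email:
        return email, "allowed_signers"
    # Step 2: subject metadata carried by an attestation this DID issued.
    for att in chain:
        if att.get("issuer") == did and (att.get("subject") or {}).get("name"):
            return att["subject"]["name"], "attestation"
    return truncate_did(did), "fallback"

def verification_line(did: str, allowed_signers: str = ALLOWED_SIGNERS, chain: list = CHAIN) -> str:
    """Render the proposed 'Signed by' line; the DID stays visible in every case."""
    name, step = resolve_signer(did, allowed_signers, chain)
    return f"✓ Signed by {name}" if step == "fallback" else f"✓ Signed by {name} ({truncate_did(did)})"
```

The informational name is only a display hint: the DID (and the key it resolves to) remains the identity that verification actually checked.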
2. .auths.json includes optional signer metadata
{
  "signer": {
    "name": "bordumb",
    "email": "bordumbb@gmail.com",
    "github": "bordumb",
    "did": "did:key:zDnaeozdq..."
  }
}
This is informational (not signed over) — the cryptographic identity is still the DID. But it gives humans something to read on a release page.
3. Rekor DSSE payload type carries identity hint
The DSSE payloadType is currently application/vnd.auths+json. The payload itself contains the attestation with the issuer DID. A verifier decoding the base64 payload from Rekor can see the full identity chain. No change needed to the Rekor entry itself — the information is already there, just needs documentation on how to extract it.
What exists today
- Allowed signers file maps principals (email, DID) to public keys
- auths status shows the controller DID
- auths whoami shows identity info
- GitHub SSH key upload links device key to GitHub account
Success criteria
A developer looking at verification output or a .auths.json file can immediately see who signed, not just which key signed.